Detecting and Preventing Undesired Network Traffic From Being Sourced Out Of A Network Domain 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to the field of networking. More specifically, the 
present invention relates to the monitoring and regulation of routing devices of 
network domains to detect and prevent undesirable network traffic from being 
sourced out of the network domains. 

2. Background Information 

With advances in integrated circuit, microprocessor, networking and communication technologies, an increasing number of devices, in particular digital computing devices, are being networked together. Devices are often first coupled to a local area network, such as an Ethernet based office/home network. In turn, the local area networks are interconnected through wide area networks, such as ATM networks, Frame Relay networks, and the like. Of particular note is the TCP/IP based global internetwork, the Internet. 

As a result of this trend of increased connectivity, an increasing number of applications that are network dependent are being deployed. Examples of these network dependent applications include, but are not limited to, email, net based telephony, the world wide web and various types of e-commerce. The success of many of these content/service providers as well as commerce sites depends on the quality of service they provide. 
Unfortunately, the connectivity that makes it possible for these servers to provide the content/service also makes it very easy for hackers to launch denial of service (DOS) attacks against these servers. Compounding the misfortune is the fact that oftentimes innocent systems are exploited in assisting the attacks, without the system owners even knowing their systems are being exploited. The exploitation not only may affect the level of service delivered by the exploited systems, it may also leave the exploited systems vulnerable to liability for the damages inflicted on the servers being attacked. 

To date, all the known methods and apparatuses that can assist a system owner in protecting his/her systems from being exploited are basically intrusion protection oriented. That is, all the methods and apparatuses are substantially oriented towards keeping undesirable network traffic from entering a network domain and/or preventing unauthorized execution on the owner's systems. As experience has demonstrated, none of these methods and apparatuses is perfect. From time to time, we learn that hackers are able to get through. Thus, additional methods and apparatuses that can further prevent systems from being exploited in giving involuntary assistance to DOS attacks are desired. 



SUMMARY OF THE INVENTION 

The present invention provides for a novel approach to warning and/or protecting a system owner's system(s) from being exploited in providing involuntary assistance to a DOS attack. The present invention provides the protection by detecting and/or preventing undesirable or inappropriate network traffic from being sourced from a network domain. More specifically, a monitor/regulator is provided to monitor network traffic leaving a network domain. The monitor/regulator determines if undesirable/inappropriate network traffic is leaving the network domain based on the observed characteristics of the outbound and inbound network traffic. In one embodiment, if it is determined that undesirable/inappropriate network traffic is leaving the network domain, the monitor/regulator at least issues warnings alerting system owners of the detection. In another embodiment, the monitor/regulator further issues regulation instruction(s) to boundary routing device(s) of the network domain(s), thereby preventing the network domain(s) from being exploited to source such undesirable/inappropriate network traffic. 

In one embodiment, the determination is made based on differential characteristics of the outbound and inbound network traffic. In one embodiment, the differential characteristics are inferred from differences between observed aggregated statistics of the outbound and inbound network traffic. In another embodiment, the differential characteristics are aggregated from individual flow differences. 

In one embodiment, the monitor/regulator monitors and/or regulates a single boundary routing device of a network domain. In another embodiment, the monitor/regulator monitors and/or regulates multiple boundary routing devices of a network domain. In yet another embodiment, the monitor/regulator monitors and/or regulates boundary routing devices of multiple network domains, with each network domain having one or more routing devices. 

In one embodiment, the monitor/regulator is integrally implemented as a single component. In another embodiment, the monitor/regulator is distributedly implemented as separate components. 

In one embodiment, the monitor/regulator is independently implemented, i.e. externally and remotely disposed outside of the monitored/regulated routing devices. In another embodiment, at least part of the monitor/regulator is integrally implemented with at least one of the monitored/regulated routing devices. 

BRIEF DESCRIPTION OF DRAWINGS 

The present invention will be described by way of exemplary embodiments, but not limitations, illustrated in the accompanying drawings in which like references denote similar elements, and in which: 

Figure 1 illustrates an overview of the present invention, including a network traffic monitor/regulator of the present invention, in accordance with one embodiment; 

Figure 2 illustrates a method view of the same invention, in accordance with one embodiment; 

Figures 3a-3c illustrate the present invention in further detail, in accordance with three embodiments; and 

Figure 4 illustrates an example digital system suitable for use to host a software implementation of the network traffic monitor/regulator of the present invention, in accordance with one embodiment. 

DETAILED DESCRIPTION OF THE INVENTION 

In the following description, various aspects of the present invention will be described. However, it will be apparent to those skilled in the art that the present invention may be practiced with only some or all aspects of the present invention. For purposes of explanation, specific numbers, materials and configurations are set forth in order to provide a thorough understanding of the present invention. However, it will also be apparent to one skilled in the art that the present invention may be practiced without the specific details. In other instances, well known features are omitted or simplified in order not to obscure the present invention. 

Parts of the description will be presented in terms of operations performed by a processor based device, using terms such as receiving, analyzing, determining, instructing, and the like, consistent with the manner commonly employed by those skilled in the art to convey the substance of their work to others skilled in the art. As well understood by those skilled in the art, the quantities take the form of electrical, magnetic, or optical signals capable of being stored, transferred, combined, and otherwise manipulated through mechanical and electrical components of the processor based device; and the term processor includes microprocessors, microcontrollers, digital signal processors, and the like, that are standalone, adjunct or embedded. 

Various operations will be described as multiple discrete steps in turn, in a manner that is most helpful in understanding the present invention; however, the order of description should not be construed as implying that these operations are necessarily order dependent. In particular, these operations need not be performed in the order of presentation. 

The terms "routing devices" and "route" are used throughout this application, in the claims as well as in the specification. The terms as used herein are intended to be genus terms that include conventional routers and conventional routing, as well as all other variations of network trafficking, such as switches or switching, gateways, hubs and the like. Thus, unless particularized, the terms are to be given this broader meaning. Further, the description repeatedly uses the phrase "in one embodiment", which ordinarily does not refer to the same embodiment, although it may. 

Wetherall - Detecting & Preventing Undesirable Network Traffic ... 
Express Mail Label No: EL605310195US 
Attorney Docket Ref: 41007.P004 

Overview 

Referring now first to Figures 1-2, wherein two block diagrams illustrating a topological view and a method view of the present invention, in accordance with one embodiment, are shown. As illustrated by these figures, in accordance with the present invention, monitor/regulator 102 is advantageously provided to protect the owners of systems (not shown) located within network domain 104 from being exploited in providing involuntary assistance to a DOS attack against other systems (also not shown). Monitor/regulator 102 is equipped with logic to monitor or observe network traffic 106 routed between network domain 104 and internetworking fabric 108 (block 202), and based on observations 110, determines if undesirable or inappropriate network traffic is being sourced out of network domain 104 into internetworking fabric 108 (block 204). If so, in one embodiment, monitor/regulator 102 is further equipped to at least issue warnings alerting system owners of the detection. In another embodiment, monitor/regulator 102 is further equipped to regulate the boundary routing device or devices of network domain 104 (not shown), such as by issuing regulation instructions 112 to the routing device(s) to prevent such undesirable or inappropriate network traffic from being sourced out of network domain 104 into internetworking fabric 108 (block 206), thereby reducing or eliminating the possibility of exploiting the systems of network domain 104. 

Network domain 104 and internetworking fabric 108 are intended to represent a broad range of local or wide area networks known in the art. For example, network domain 104 may be a local area network of an enterprise, and internetworking fabric 108 the private internetworking fabric of the enterprise; or network domain 104 may be a wide area (such as a metropolitan area) network of an enterprise, and internetworking fabric 108 a public internetworking fabric (such as the Internet). 

First Embodiment 

Figure 3a illustrates a first embodiment of the present invention, wherein network domain 104' has a single egress point for network traffic 106' to leave network domain 104' and enter internetworking fabric 108. As described earlier, monitor/regulator 102' monitors or observes network traffic 106' routed between network domain 104' and internetworking fabric 108 through routing device 114' (block 202), and based on observations 110', determines if undesirable or inappropriate network traffic is being sourced out of network domain 104' into internetworking fabric 108 through routing device 114' (block 204). If so, for one implementation of the illustrated embodiment, monitor/regulator 102' at least issues warnings alerting system owners of the detection. In another implementation, monitor/regulator 102' regulates routing device 114', issuing regulation instructions 112' to routing device 114' to "stop" routing certain traffic, to prevent the undesirable or inappropriate network traffic from being sourced out of network domain 104' into internetworking fabric 108 through routing device 114' (block 206). As a result, systems disposed inside network domain 104' are warned and/or protected from exploitation in providing involuntary assistance to DOS attacks against other systems. 

In one embodiment, routing device 114' is of a type equipped to provide aggregate characteristic statistics on network traffic 106' routed. Examples of these aggregate characteristic statistics include but are not limited to statistics for traffic of particular types routed in both the outbound and inbound directions. [Outbound refers to network traffic routed from network domain 104' onto internetworking fabric 108, and inbound refers to the opposite.] Other examples of aggregate statistics include the number of bits per second (mbps), the number of packets per second, or the number of flows per second routed in each direction. [A flow may e.g. be a unique traffic conversation as indicated by a combination of source and destination addresses (and for certain protocols, port numbers also).] Further, the aggregate statistics may also include the volume of data destined for specific destination addresses, lengths of packets, distribution of Time To Live values, and so forth. These other aggregated characteristic statistics may also be provided by network traffic type. In other words, aggregate characteristic statistics may simply be whatever data are necessary to provide the desired level of granularity in discerning undesirable versus desirable or appropriate versus inappropriate network traffic. 

In alternate embodiments, for certain routing devices, if supported, the relevant data may additionally or alternatively be provided at the individual packet level (as opposed to being in the form of aggregate statistics) for all or selected flows. Similarly, any relevant data provided at the individual packet level may also be provided by network traffic type. 

Examples of traffic types include but are not limited to TCP SYN and FIN packets. Network traffic types may further include Web, Real Networks, Secure Web, Other TCP, Other UDP, ICMP, TCP packets with ACK set, TCP packets without SYN set, and so forth. In general, any information carried as part of the packets may be used as typing criteria to divide the network traffic into different traffic types. 
Numerous routing devices with such data providing capability are known in the art, including but not limited to routing devices available from CISCO Systems, or 3COM, both of San Jose, CA, or Juniper Network of Sunnyvale, CA. Monitor/regulator 102' monitors/observes network traffic 106' by periodically requesting routing device 114' to provide it with the aggregate characteristic statistics of network traffic 106' routed. In one embodiment, monitor/regulator 102' periodically requests routing device 114' to provide at least the aggregate characteristic statistics for the number of TCP SYN and FIN packets routed. In one embodiment, monitor/regulator 102' uses traffic flow records such as Cisco's netflow (which is intended to produce one record for each flow) to gather information. In another embodiment, monitor/regulator 102' uses an access control list (ACL), and commands associated therewith, such as "access-list" and "show access-list", to gather up the relevant data. These commands, including their operations and constitutions, are known in the art. Additional information may be obtained from e.g. the product literature of various routing device manufacturers. In other embodiments, the relevant data may also be obtained through known network management services, such as Simple Network Management Protocol (SNMP), Remote Monitoring (RMON) or packet sampling (if one or more of these services are supported by the routing devices). 

As described earlier, based on the observed characteristics of traffic 106', monitor/regulator 102' determines whether undesirable/inappropriate network traffic is being sourced out of network domain 104' onto internetworking fabric 108 through routing device 114'. 

In one embodiment, monitor/regulator 102' makes the determination based at least on the relative difference between the number of outbound TCP SYN and FIN packets and the number of inbound response packets responding to these packets. 



Monitor/regulator 102' infers that undesirable/inappropriate traffic is being sourced out of network domain 104' if the difference exceeds a predetermined threshold. The predetermined threshold is empirically determined, and typically set at a relatively high level. If, notwithstanding the relatively high level, the threshold is still exceeded, the excess suggests that the target destinations of the TCP SYN and FIN packets may be unable to respond due to a deliberate concentration of network traffic targeting one or more destinations. Accordingly, a high likelihood then exists that a substantial amount of these TCP SYN and FIN packets are associated with a DOS attack. 

In one embodiment, monitor/regulator 102' additionally or alternatively makes the determination based on the relative difference between the number of outbound TCP SYN and FIN packets destined for certain destinations, and the number of follow-on non-TCP SYN and FIN packets to the same destinations (typically representative of subsequent substantive requests to a destination after the initial connections are established via the TCP SYN and FIN packets). Monitor/regulator 102' infers that undesirable/inappropriate traffic is being sourced out of network domain 104' if the difference exceeds a predetermined threshold. The predetermined threshold is also empirically determined. If the threshold is exceeded, the lack of follow-on substantive non-TCP SYN and FIN packets suggests that the target destinations of the TCP SYN and FIN packets may have been contacted merely to clog up the destinations. Accordingly, a high likelihood then exists that a substantial amount of these TCP SYN and FIN packets are associated with a DOS attack. 

Those skilled in the art will appreciate that the above described detection and determination may be accomplished by reconfiguring the intrusion detection features equipped in many routing devices to operate in the outbound direction, as opposed to operating in the inbound direction as designed. Further, the second determination provides for earlier warning (if the inference is correct), although potentially it may be less accurate (especially if the destinations are still able to respond). The relative amount of the two different types of risk to assume, i.e. falsely concluding a DOS attack is underway, versus a failure to conclude a DOS attack is underway, is an application dependent decision. 

In another embodiment where data are additionally or alternatively collected at the individual packet level, monitor/regulator 102' additionally or alternatively makes the determination based on the number of incomplete flows (e.g. outbound request packets not receiving reply packets). Similarly, a "large" number of incomplete flows, exceeding a predetermined threshold (empirically determined), suggests that the destinations of these incomplete flows are unable to respond, potentially due to the fact that they are being overwhelmed by a deliberate concentration of traffic against the destination. For this embodiment, monitor/regulator 102' additionally monitors for the response packets of the sampled flows. 

Similarly, a like-kind analysis of whether substantive follow-up flows exist subsequent to the initial flows establishing connections between systems of network domain 104' and contacted destinations may also be performed to infer whether undesirable/inappropriate network traffic is being sourced out of network domain 104'. 

In addition to the earlier described aggregate or flow level analysis of TCP SYN and FIN packets, the earlier described analyses may also be performed to detect other types of "flood" attacks, including but not limited to TCP NULL packets (with no flags set), RST packets, and DNS requests (UDP port 53). Again, each of the corresponding thresholds may be empirically determined. 

Further, the earlier described analyses may similarly be performed to detect Smurf or Fraggle type DOS attacks. For example, the earlier described analyses may be performed to detect outgoing ICMP echo reply packets (Smurf) or UDP echo "reply" packets (Fraggle) destined for a particular (victim) destination. Alternatively, the earlier described analyses may also be performed to detect outgoing ICMP echo request packets (Smurf) or UDP echo "request" packets (Fraggle) destined for a "broadcast" address. However, these analyses may be performed examining only the data for the outbound direction. 
Thus, it can be seen the present invention may be employed to detect undesirable or inappropriate network traffic headed directly for the victim destinations or indirectly via third parties, as well as undesirable or inappropriate network traffic sourced directly out of the network domain or indirectly first originating from third parties (and subsequently going through the network domain). 

In any event, if monitor/regulator 102' concludes that undesirable/inappropriate network traffic is not being sourced out of network domain 104', monitor/regulator 102' takes no further action. On the other hand, if monitor/regulator 102' concludes that undesirable/inappropriate network traffic is being sourced out of network domain 104', in one embodiment, monitor/regulator 102' issues at least warnings alerting system owners of the detections. The warnings may be delivered in any one of a number of form factors, including electronic messages (delivered e.g. to control consoles, pagers and the like), faxes, audio messages, and the like. For the illustrated embodiment, monitor/regulator 102' further instructs routing device 114' to regulate the manner in which routing device 114' routes traffic 106' onto internetworking fabric 108, to attempt to "stop" this undesirable/inappropriate traffic from being sourced out of network domain 104'. 

For example, monitor/regulator 102' may instruct routing device 114' to drop certain types of packets, or packets destined for certain destinations. Alternatively, monitor/regulator 102' may instruct routing device 114' to lower the routing priority of these packets or to limit the amount of bandwidth given to these packets, thereby slowing the rate or reducing the volume of these packets being sourced out of network domain 104'. As a result, monitor/regulator 102' effectively "stops" the undesirable/inappropriate network traffic from being sourced out of network domain 104'. In one embodiment, monitor/regulator 102' uses interface related commands such as "show interface rate-limit" and "rate-limit" to regulate and de-regulate routing device 114'. The functions and constitutions of these commands are also known in the art, and accordingly will not be further described. 

While for ease of understanding, monitor/regulator 102' is shown as externally disposed away from routing device 114', the present invention may be practiced with monitor/regulator 102' implemented as a standalone component, independently and externally disposed away from routing device 114', or alternatively, the present invention may be practiced with monitor/regulator 102' integrally implemented in whole or in part, as a portion of routing device 114'. 

Second Embodiment 

Figure 3b illustrates a second embodiment of the present invention, wherein network domain 104" has multiple egress points for network traffic 106" to leave network domain 104" and enter internetworking fabric 108. As described earlier, monitor/regulator 102" monitors network traffic 106", and determines if undesirable/inappropriate network traffic is being sourced out of network domain 104". If so, monitor/regulator 102" takes appropriate action to warn and/or "stop" the undesirable/inappropriate network traffic from being sourced out of network domain 104". As in the earlier described embodiment, monitor/regulator 102" periodically requests characteristic data of network traffic 106" routed, except that instead of making such requests of only one routing device, monitor/regulator 102" makes the periodic requests of all the boundary routing devices, such as routing device 114"a as well as routing device 114"b. Accordingly, systems disposed inside network domain 104" are protected from exploitation in providing involuntary assistance to DOS attacks against other systems, or their owners may at least be warned of such exploitations. 

Similarly, when monitor/regulator 102" makes its determination on whether undesirable/inappropriate network traffic is being sourced out of network domain 104", monitor/regulator 102" takes all the data received into consideration. That is, when analyzing the data received from routing device 114"a, monitor/regulator 102" adds or otherwise factors into consideration the data received from routing device 114"b. Similarly, when analyzing the data received from routing device 114"b, monitor/regulator 102" adds or otherwise factors into consideration the data received from routing device 114"a. As described earlier, the data may be any one of the example data enumerated above, aggregated or at the individual flow level. 

By aggregating or otherwise taking into consideration characteristic data of network traffic sourced out of routing device 114"a as well as routing device 114"b, monitor/regulator 102" is made more sensitive, and is able to detect undesirable/inappropriate network traffic being sourced out of network domain 104" even though the decision metrics may not be exceeded at the individual boundary routing devices 114"a and/or 114"b. 
In one embodiment, monitor/regulator 102" warns the owner(s) of the systems of network domain 104" of the detection. For the illustrated embodiment, monitor/regulator 102" determines the regulation instructions, if needed, separately for the different routing devices. That is, monitor/regulator 102" determines separate regulation instructions, if any, for the different routing devices. In an alternate embodiment, monitor/regulator 102" may determine the regulation instructions collectively, and have the regulation instructions applied to all routing devices uniformly. 

As alluded to earlier, while for ease of understanding, monitor/regulator 102" is shown as externally disposed away from routing devices 114"a and 114"b, the present invention may be practiced with monitor/regulator 102" implemented as a standalone component, independently and externally disposed away from routing device 114', or alternatively, the present invention may be practiced with monitor/regulator 102" distributively implemented, with at least a part of monitor/regulator 102" integrally implemented as a part of routing device 114"a and/or routing device 114"b, as long as the distributed pieces are communicatively coupled to each other and are able to cooperatively practice the present invention. 

Third Embodiment 

Figure 3c illustrates a third embodiment of the present invention, wherein monitor/regulator 102"' monitors and regulates network traffic sourced out of multiple network domains, e.g. network domain 104"'a as well as network domain 104"'b. Each network domain 104"'a/104"'b has one or more egress points for network traffic 106"' to leave the particular network domain 104"'a/104"'b and enter internetworking fabric 108. As described earlier, monitor/regulator 102"' monitors network traffic 106"', and determines if undesirable/inappropriate network traffic is being sourced out of network domain 104"'a and/or 104"'b. If so, monitor/regulator 102"' takes appropriate action to warn and/or "stop" the undesirable/inappropriate network traffic from being sourced out of network domain 104"'a and/or 104"'b. Accordingly, systems disposed inside network domains 104"'a and 104"'b are protected from exploitation in providing involuntary assistance to DOS attacks against other systems, or their owners are at least alerted of their exploitation. 

As in the earlier described embodiment, monitor/regulator 102"' periodically requests characteristic data of network traffic 106"' routed, except that instead of making such requests of only the routing device or device(s) of one network domain, monitor/regulator 102"' makes the periodic requests of all the boundary routing devices, such as routing device 114"'a as well as routing device 114"'b, of all network domains 104"'a and 104"'b. 

Similarly, when monitor/regulator 102"' makes its determination on whether undesirable/inappropriate network traffic is being sourced out of network domain 104"'a and/or 104"'b, monitor/regulator 102"' takes all the data received into consideration. That is, when analyzing the data received from routing device 114"'a of network domain 104"'a, monitor/regulator 102"' adds or otherwise factors into consideration the data received from other routing devices of the same or other network domains, such as routing device 114"'b of network domain 104"'b. Likewise, when analyzing the data received from routing device 114"'b of network domain 104"'b, monitor/regulator 102"' adds or otherwise factors into consideration the data received from other routing devices of the same or other network domains, such as routing device 114"'a of network domain 104"'a. As described earlier, the data may be any one of the example data enumerated above, aggregated or at the individual flow level. 
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By aggregating or otherwise takes into consideration characteristic data of 
network traffics sourced out of other network domains, monitor/regulator 102"' is 
made even more sensitive, and be able to detect undesirable/inappropriate network 
traffics being sourced out network domain 104"'a and/or network domain 104"'b, 
5 even though the decision metrics may not be exceeded at the individual routing 
devices and/or the individual network domains. For example, upon determining that 
undesirable network traffics are being sourced out of one domain, the threshold 
criteria for concluding that undesirable network traffics are being sourced out of 
another domain may be "lowered", as the probability of erroneously concluding that 
O 10 a domain is also being exploited to support the attack is substantially lower, given it 
SJ has already been determined another domain is being exploited to source an attack. 
m Accordingly, under this embodiment, the detection and prevention can 

0 advantageously leverage on information learned and/or determination made for 

£ *» ¥ 
H 'I » 

other domains. 

In one embodiment, monitor/regulator 102''' warns the owner(s) of the 
systems of network domain 104''' of the detection. For the illustrated embodiment, 
monitor/regulator 102''' determines the regulation instructions, if needed, separately 
for the different routing devices of the different network domains. That is, 
monitor/regulator 102''' determines separate regulation instructions, if any, for the 
different routing devices of the different network domains. In an alternate embodiment, 
monitor/regulator 102''' may determine the regulation instructions collectively, and 
have the regulation instructions applied to all routing devices of all network 
domains uniformly. 

As alluded to earlier, while for ease of understanding monitor/regulator 102''' 
is shown as externally disposed away from routing devices 114'''a and 114'''b, the 
present invention may be practiced with monitor/regulator 102''' implemented as a 
standalone component, independently and externally disposed away from routing 
devices 114'''a and 114'''b, or alternatively, the present invention may be practiced 
with monitor/regulator 102''' distributively implemented, with at least a part of 
monitor/regulator 102''' integrally implemented as a portion of routing device 114'''a 
and/or routing device 114'''b, as long as the distributed pieces are communicatively 
coupled to each other and are able to cooperatively practice the present invention. 



Example Host Digital System 

Figure 4 illustrates an example digital system suitable for use as a host to a 
software implementation of monitor/regulator, in accordance with one embodiment. 
As shown, digital system 400 includes processor 402, and system memory 404. 
Additionally, digital system 400 includes mass storage devices 406 (such as 
diskette, hard drive, CDROM and so forth), input/output devices 408 (such as 
keyboard, cursor control and so forth) and communication interfaces 410 (such as 
network interface cards, modems and so forth). The elements are coupled to each 
other via system bus 412, which represents one or more buses. In the case of 
multiple buses, they are bridged by one or more bus bridges (not shown). Each of 
these elements performs its conventional functions known in the art. In particular, 
system memory 404 and mass storage 406 are employed to store a working copy 
and a permanent copy of the programming instructions implementing the 
monitor/regulator teachings of the present invention. The permanent copy of the 
programming instructions may be loaded into mass storage 406 in the factory, or in 
the field, as described earlier, through a distribution medium (not shown) or through 
communication interface 410 (from a distribution server (not shown)). The 
constitution of these elements 402-412 is known, and accordingly will not be 
further described. 
Conclusion and Epilogue 

Thus, it can be seen from the above descriptions that a novel method and 
apparatus for protecting a system owner's systems from being exploited in providing 
involuntary assistance to DOS attacks, through detection and/or stopping of 
undesirable/inappropriate network traffic from being sourced out of the owner's 
network domain, has been described. 

While the present invention has been described in terms of the above 
illustrated embodiments, those skilled in the art will recognize that the invention is not 
limited to the embodiments described. The present invention can be practiced with 
modification and alteration within the spirit and scope of the appended claims. For 
example, as alluded to earlier, the present invention may be practiced with more or 
fewer sensors, more directors, and so forth. Thus, the description is to be 
regarded as illustrative instead of restrictive on the present invention. 
CLAIMS 

What is claimed is: 

1. A network comprising: 
a first network domain including a first routing device for routing network 
traffic out of and into the first network domain; and 
a monitor/regulator either integrally disposed in said first routing device or 
coupled to the first routing device to monitor the network traffic routed by said first 
routing device, and determine if the first network domain is sourcing undesirable 
network traffic out of the first network domain. 

2. The network of claim 1, wherein said monitor/regulator makes said 
determination based on differential characteristics of network traffic routed out of 
said network domain, and network traffic routed into the network domain. 

3. The network of claim 2, wherein said monitor/regulator infers said differential 
characteristics based on aggregated statistics of said network traffic routed out of 
said network domain, and aggregated statistics of said network traffic routed into the 
network domain. 

4. The network of claim 2, wherein said monitor/regulator aggregates said 
differential characteristics based on differential characteristics between request 
packets routed out of said network domain, and response packets routed into the 
network domain. 

5. The network of claim 1, wherein said monitor/regulator, upon determining 
undesirable network traffics are being sourced out of said first domain, further stops 
said undesirable network traffic from being sourced out of said first domain. 

6. The network of claim 1, wherein 
said first network domain further comprises a second routing device for 
routing network traffic out of and into the first network domain; 
said monitor/regulator further monitors the network traffic routed by said 
second routing device, and determines if the first network domain is sourcing 
undesirable network traffic out of the first network domain based on network traffic 
characteristics observed of network traffic routed through said first and second 
routing devices. 

7. The network of claim 6, wherein said monitor/regulator determines if 
undesirable network traffics are being routed out of said first network domain 
through said first routing device based on network traffic characteristics observed of 
network traffic routed through said second as well as said first routing device. 

8. The network of claim 6, wherein said monitor/regulator determines if 
undesirable network traffics are being routed out of said first network domain 
through said second routing device based on network traffic characteristics 
observed of network traffic routed through said first as well as said second routing 
device. 

9. The network of claim 6, wherein said monitor/regulator, upon determining 
undesirable network traffics are being sourced out of said first network domain, 
further stops said undesirable network traffic from being sourced out of said first 
network domain. 

10. The network of claim 1, wherein 
said network further comprises a second network domain including a second 
routing device for routing network traffic out of and into the second network domain; 
said monitor/regulator further monitors the network traffic routed by said 
second routing device, and determines if at least a selected one of the first and 
second network domains is sourcing undesirable network traffic out of the selected 
one of the first and second network domains based on network traffic characteristics 
observed of network traffic routed through said first and second routing devices. 

11. The network of claim 10, wherein said monitor/regulator determines if 
undesirable network traffics are being routed out of said first network domain 
through said first routing device based on network traffic characteristics observed of 
network traffic routed through said second as well as said first routing device. 

12. The network of claim 10, wherein said monitor/regulator determines if 
undesirable network traffics are being routed out of said second network domain 
through said second routing device based on network traffic characteristics 
observed of network traffic routed through said first as well as said second routing 
device. 

13. The network of claim 10, wherein said monitor/regulator, upon determining 
undesirable network traffics are being sourced out of at least a selected one of said 
first and second network domains, further stops said undesirable network traffic from 
being sourced out of said first and second network domains. 

14. A network traffic regulation method comprising: 
monitoring network traffic routed by a first routing device of a first network 
domain; and 
determining if the first network domain is sourcing undesirable network traffic 
out of the first network domain. 

15. The method of claim 14, wherein said determining comprises determining 
based on differential characteristics of network traffic routed out of said network 
domain, and network traffic routed into the network domain. 

16. The method of claim 15, wherein said determining comprises inferring said 
differential characteristics based on aggregated statistics of said network traffic 
routed out of said network domain, and aggregated statistics of said network traffic 
routed into the network domain. 

17. The method of claim 15, wherein said determining comprises aggregating 
said differential characteristics based on differential characteristics between request 
packets routed out of said network domain, and response packets routed into the 
network domain. 

18. The method of claim 14, wherein the method further comprises stopping 
undesirable network traffics from being sourced out of said first network domain. 

19. The method of claim 14, wherein the method further comprises 
monitoring network traffic routed by a second routing device of said first 
network domain; and 
determining if the first network domain is sourcing undesirable network traffic 
out of the first network domain based on network traffic characteristics observed of 
network traffic routed through said first and second routing devices. 

20. The method of claim 19, wherein said determining comprises determining if 
undesirable network traffics are being routed out of said first network domain 
through said first routing device based on network traffic characteristics observed of 
network traffic routed through said second as well as said first routing device. 

21. The method of claim 19, wherein said determining comprises determining if 
undesirable network traffics are being routed out of said first network domain 
through said second routing device based on network traffic characteristics 
observed of network traffic routed through said first as well as said second routing 
device. 

22. The method of claim 19, wherein the method further comprises stopping 
undesirable network traffic from being sourced out of the first network domain. 

23. The method of claim 19, wherein the method further comprises 
determining if at least a selected one of the first and a second network 
domain is sourcing undesirable network traffic out of the selected one of the first and 
second network domains based on network traffic characteristics observed of 
network traffic routed through said first and second routing devices. 

24. The method of claim 23, wherein said determining comprises determining if 
undesirable network traffics are being routed out of said first network domain 
through said first routing device based on network traffic characteristics observed of 
network traffic routed through said second as well as said first routing device. 

25. The method of claim 23, wherein said determining comprises determining if 
undesirable network traffics are being routed out of said second network domain 
through said second routing device based on network traffic characteristics 
observed of network traffic routed through said first as well as said second routing 
device. 

26. The method of claim 23, wherein the method further comprises stopping 
undesirable network traffic from being sourced out of said first and/or second network 
domains. 

27. An apparatus comprising: 
(a) a storage medium having stored therein a plurality of programming 
instructions designed to enable the apparatus to monitor network traffic routed by a 
first routing device of a first network domain, and determine if the first network 
domain is sourcing undesirable network traffic out of the first network domain; and 
(b) a processor coupled to the storage medium to execute the programming 
instructions. 

Wetherall - Detecting & Preventing Undesirable Network Traffic ... 
25 
Express Mail Label No: EL605310195US 
Attorney Docket Ref: 41007.P004 


28. The apparatus of claim 27, wherein the programming instructions enable the 
apparatus to make said determination based on differential characteristics of 
network traffic routed out of said network domain, and network traffic routed into the 
network domain. 

29. The apparatus of claim 28, wherein the programming instructions enable the 
apparatus to infer said differential characteristics based on aggregated statistics of 
said network traffic routed out of said network domain, and aggregated statistics of 
said network traffic routed into the network domain. 

30. The apparatus of claim 28, wherein the programming instructions enable the 
apparatus to aggregate said differential characteristics based on differential 
characteristics between request packets routed out of said network domain, and 
response packets routed into the network domain. 

31. The apparatus of claim 27, wherein the programming instructions further 
enable the apparatus to stop undesirable network traffic from being sourced out of 
said first network domain. 

32. The apparatus of claim 27, wherein the programming instructions enable the 
apparatus to monitor network traffic routed by a second routing device of said first 
network domain, and determine if the first network domain is sourcing undesirable 
network traffic out of the first network domain based on network traffic 
characteristics observed of network traffic routed through said first and second 
routing devices. 

33. The apparatus of claim 32, wherein the programming instructions enable the 
apparatus to determine if undesirable network traffics are being routed out of said 
first network domain through said first routing device based on network traffic 
characteristics observed of network traffic routed through said second as well as 
said first routing device. 

34. The apparatus of claim 32, wherein the programming instructions enable the 
apparatus to determine if undesirable network traffics are being routed out of said 
first network domain through said second routing device based on network traffic 
characteristics observed of network traffic routed through said first as well as said 
second routing device. 

35. The apparatus of claim 32, wherein the programming instructions further 
enable the apparatus to stop undesirable network traffic from being sourced out of said 
first network domain. 

36. The apparatus of claim 27, wherein the programming instructions further 
enable the apparatus to determine if at least a selected one of the first and a second 
network domain is sourcing undesirable network traffic out of the selected one of the 
first and second network domains based on network traffic characteristics observed 
of network traffic routed through said first and second routing devices. 

37. The apparatus of claim 36, wherein the programming instructions enable the 
apparatus to determine if undesirable network traffics are being routed out of said 
first network domain through said first routing device based on network traffic 
characteristics observed of network traffic routed through said second as well as 
said first routing device. 

38. The apparatus of claim 36, wherein the programming instructions enable the 
apparatus to determine if undesirable network traffics are being routed out of said 
second network domain through said second routing device based on network traffic 
characteristics observed of network traffic routed through said first as well as said 
second routing device. 

39. The apparatus of claim 36, wherein the programming instructions further 
enable the apparatus to stop undesirable network traffic from being sourced out of said 
first and/or second network domains. 
Detecting and Preventing Undesired Network Traffic 
From Being Sourced Out Of A Network Domain 

ABSTRACT OF THE DISCLOSURE 

The present invention provides for a novel approach to protecting a system 
owner's system(s) from being exploited in providing involuntary assistance to a DOS 
attack. The present invention provides the protection by detecting and preventing 
undesirable or inappropriate network traffic from being sourced from a network 
domain. More specifically, a monitor/regulator is provided to monitor network traffic 
leaving a network domain. The monitor/regulator determines if 
undesirable/inappropriate network traffic is leaving the network domain based on 
the observed characteristics of the outbound and inbound network traffic. If it is 
determined that undesirable/inappropriate network traffic is leaving the network 
domain, the monitor/regulator, in one embodiment, at least warns system owners 
of the detection. In another embodiment, the monitor/regulator further issues 
regulation instruction(s) to boundary routing device(s) of the network domain(s), 
thereby preventing the network domain(s) from being exploited to source such 
undesirable/inappropriate network traffic. 
DECLARATION AND POWER OF ATTORNEY FOR PATENT APPLICATION 

As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below, next to my name. 

I believe I am the original, first and sole inventor (if only one name is listed below) or an original, 
first, and joint inventor (if plural names are listed below) of the subject matter which is claimed and 
for which a patent is sought on the invention entitled 

Detecting and Preventing Undesirable Network Traffic From Being Sourced Out Of A 
Network Domain 

the specification of which is attached hereto, or was filed on ________ as United States Application 
Number ________ or PCT International Application Number ________ and was amended on 
________ (if applicable). 

I hereby state that I have reviewed and understand the contents of the above-identified 
specification, including the claim(s), as amended by any amendment referred to above. 

I acknowledge the duty to disclose all information known to me to be material to patentability as 
defined in Title 37, Code of Federal Regulations, Section 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, Section 119(a)-(d), of 
any foreign application(s) for patent or inventor's certificate listed below and have also identified 
below any foreign application for patent or inventor's certificate having a filing date before that of 
the application on which priority is claimed: 

Prior Foreign Application(s): (Number) (Country) (Day/Month/Year Filed) Priority Claimed: Yes / No 

I hereby claim the benefit under Title 35, United States Code, Section 119(e) of any United States 
provisional application(s) listed below: 

(Application Number) (Filing Date) 

I hereby claim the benefit under Title 35, United States Code, Section 120 of any United States 
application(s) listed below and, insofar as the subject matter of each of the claims of this application 
is not disclosed in the prior United States application in the manner provided by the first paragraph 
of Title 35, United States Code, Section 112, I acknowledge the duty to disclose all information 
known to me to be material to patentability as defined in Title 37, Code of Federal Regulations 
Section 1.56 which became available between the filing date of the prior application and the 
national or PCT international filing date of this application: 

(Application Number) (Filing Date) (Status - patented, pending, abandoned) 

I hereby appoint Aloysius T. C. AuYeung, Reg. No. 35,432; Robert A. Diehl, Reg. No. 40,992; 
Jason K. Klindtworth, Reg. No. 47,211 and Robert T. Watt, Reg. No. 45,890 my patent 
attorney/agent, with full power of substitution and revocation, to prosecute this application and to 
transact all business in the Patent and Trademark Office connected herewith. 

Send correspondence to Aloysius T.C. AuYeung (Name of Attorney or Agent), 
Columbia IP Law Group, LLC, 4900 SW Meadows Rd., Suite 109, Lake Oswego, OR 97035, 
and direct telephone calls to Aloysius T.C. AuYeung (Name of Attorney or Agent), (503) 534-2800. 

I hereby declare that all statements made herein of my own knowledge are true and that all 
statements made on information and belief are believed to be true; and further that these 
statements were made with the knowledge that willful false statements and the like so made are 
punishable by fine or imprisonment, or both, under Section 1001 of Title 18 of the United States 
Code and that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 

Full Name of First Inventor: David J. Wetherall 
Inventor's Signature: (signed) 
Date: (illegible in scan) 
Residence: Seattle, Washington (City, State) 
Citizenship: Australia (Country) 
Post Office Address: 301 Summit Ave. East, Apt. 302, Seattle, Washington 98102 

Full Name of Second Inventor: (first name illegible in scan) R. Savage 
Inventor's Signature: (signed) 
Date: (illegible in scan) 
Residence: Seattle, Washington (City, State) 
Citizenship: USA (Country) 
Post Office Address: 4137 SW Portland St, Seattle, Washington 98136 

Full Name of Third Inventor: Thomas E. Anderson 
Inventor's Signature: (signed) 
Date: (illegible in scan) 
Residence: Seattle, Washington (City, State) 
Citizenship: USA (Country) 
Post Office Address: 1201 13th Ave. East, Seattle, Washington 98112 